Earlier this week, the Federal Trade Commission announced it would "use its full legal authority to pursue companies" that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities. Now security experts are trying to define what that means for companies' liability.
If anything, missing Log4j might look even more negligent, said Alan Brill, senior managing director for cyber risk at Kroll.
"We have been through a number of these events where we've seen the tools that we use have vulnerabilities discovered in them, so there's a lot more of a track record now than there was back when Equifax happened for companies saying 'We've been using this, it's got a vulnerability, we got to fix it,'" he said. "There is a great deal more sophistication in terms of cybersecurity on the part of the compliance community and general counsel."
Indeed, the FTC referenced its work in the Equifax case, noting that in the Equifax ruling, failure to patch a known vulnerability resulted in the company paying $700 million in fines.
Log4j and the Struts vulnerability exploited in Equifax are notionally similar; both are popular packages hosted by the Apache Foundation. But the vocal panic and urgency over Log4j have been substantially louder than they were over Struts only a few years earlier. In part, that has to do with an escalating threat environment, a more active FTC and SEC, and an increased understanding of cyber risk in the boardroom.
Still, said Brill, the FTC announcement reads like a warning, directed at boardrooms more than at practitioners, about consistent, persistent diligence in the future.
"When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others," reads the FTC announcement.
The FTC makes a special point of saying that it will further investigate the role of open source dependencies in the future. Its one footnote is to a Patrick Howell O'Neill article in MIT Tech Review about the complexities of maintaining open source. The announcement is framed to at least imply that the FTC will approach the issue from more directions than regulatory fines.
That said, the fines may be top of mind for businesses, particularly smaller businesses with fewer staff devoted to infosec problems.
Brill said the amount of nuance the FTC will show in cyber enforcements is yet to be seen, but would ideally incorporate well-defined industry norms and business size norms. He said that the FTC has taken that nuance to heart in the past.
"If an organization is told, 'you've got to fix this problem' and they just ignore it, then certainly, you want to have some enforcement action, to motivate people to do the right thing and to indicate that there is a cost of not doing the right thing," he said. "What goes with that is the requirement that you use that enforcement capability with wisdom."